back to article Cisco SMB kit harbors cross-site scripting bug: One wrong link click... and that's your router pwned remotely

Cisco has patched a cross-site scripting vulnerability in two VPN routers it sells to small businesses and branch offices. The software update addresses CVE-2020-3431, a bug present in the Cisco Small Business RV042 Dual WAN VPN Router and Cisco Small Business RV042G Dual Gigabit WAN VPN Router. We're told this flaw can be …

  1. Anonymous Coward
    Anonymous Coward

    Cisco said it was "not aware of any public announcements or malicious use of the vulnerability."

    Oh, good. Because usually internet miscreants and criminals keep Cisco fully in the loop when exploiting vulnerabilities in Cisco equipment.

  2. Mike 137 Silver badge

    Old as the hills and still being perpetrated

    "The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software."

    When, oh when, will developers accept that specific white list based context dependent validation is essential for every input?

    It's far from sufficient to declare that you "haven't heard of our cock-up being abused", particularly as it's so simple to avoid making it in the first place.

    Anyone heard of OWASP?

    1. HildyJ Silver badge
      FAIL

      Re: Old as the hills and still being perpetrated

      It's much, much older than that. It predates OWASP, the GPL, Linux, and even GNU.

      It used to be called GIGO (Garbage In, Garbage Out) and it was taught in introductory COBOL when I learned it in the 70s. We were taught that all inputs needed to be verified and intermediate results needed to be bounds checked.

      The term dates to 1957 when William Mellin wrote "sloppily programmed inputs inevitably lead to incorrect outputs." I think that sums it up.

      N.B. Old Brits may know it as RIRO (Rubbish In Rubbish Out) but, to me, that sounds like something Scooby-Doo would say.

      1. Claptrap314 Silver badge

        Re: Old as the hills and still being perpetrated

        Wait. You already had my upvote BEFORE RIRO. Now what do I do?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020